Protecting against cyber risk a growing corporate concern

Cyber attacks, data breaches and stolen laptops create billions of dollars in expense and liability that are not covered by traditional insurance policies, according to a senior risk-management executive who spoke recently to the West Michigan chapter of Financial Executives International.

That’s creating a new wave of policies to protect companies from incurring expenses when their digital defenses break down, according to Douglas J. Miller, a vice president in the executive risk practice of Hylant Group’s Ann Arbor office. Miller outlined the risks related to data security and privacy, as well as how companies can address and mitigate issues, during his talk to local members of FEI, a national organization for CFOs and other senior-level financial executives.

“Data security and privacy risk is a problem…it’s a big issue for organizations,” he said. “What’s really surprising to me is how quickly it’s risen to the top level of organizations.”

While operational and reputational risks have long been of prime concern to companies, fears related to data security have soared in recent years. In fact, Miller said, for the first time ever data security has become the number one concern among general counsels and corporate board members, according to research by FTI Consulting, a West Palm Beach, Fla.-based firm.

Miller talked about several high-profile breaches that have made headlines in the past year, including online shoe retailer Zappos, which lost information on more than 24 million customers, and Sony Corp., which had the names and credit card information of more than 100 million PlayStation accounts stolen by hackers. The PlayStation breach reportedly cost Sony more than $1 billion, including measures to fix and secure the network, as well as legal defense from more than 55 class-action suits.

The $800,000 laptop

While high-profile hacker cases grab headlines, even the seemingly mundane theft of laptops can be a huge problem for companies.

More than 12,000 laptops are stolen or lost in U.S. airports every week, risk-management executive Doug Miller said recently during a presentation to West Michigan members of Financial Executives International.

Miller shared a story about a client in the healthcare business that had a laptop with information about 1000 patients go missing. When the laptop showed up four months later, the company brought in IT forensic specialists, who cracked the hard drive and were able to determine nobody had even looked at the data. That was the good news.

The bad news: during that four-month period when the laptop was missing, the company incurred $800,000 in costs to notify patients, hire a call center to address patient concerns, offer credit monitoring because there was billing information in the records and hire a PR firm.

“At the end of the day, there was no harm done [to the patients],” he said. Still, the privacy risk alone was enough to compel the company to comply with federal and state notification laws, and to take steps to protect and communicate with its customers.

--Reported by Brian Edwards

While the cost of notifying government officials, plugging the IT holes and communicating with customers can be considerable after a breach like Sony’s, it’s often what happens in the aftermath that costs the most.

“A lot of times it’s not the breach itself that costs the most money,” Miller told the audience. “It’s the follow-on lawsuits or litigation that really causes these companies heartburn.”

In addition to the hard costs of litigation and mitigation, data breaches can also create longer-term PR issues for companies that have been victimized, he said.

Insurance policies may have some elements of public relations expense reimbursement in [policy] coverage, he said, “but that’s not going to bring your customers back. It might help spin it a little bit, but if you have one of these breaches, it’s the reputational piece, I think, that’s the biggest issue in general.”

Cyber security insurance has existed as a highly specialized niche product for about 10 years, but was only offered by a few global insurers. In the past five years, the number of insurers offering such policies has grown because companies are realizing that traditional policies weren’t designed to address data breaches and privacy risk, he said.

“You may have certain aspects of it in any given insurance policy, but none of [the policies] is designed to holistically address this type of risk,” he said.

For example, most companies have business interruption coverage as part of their property policy. That coverage, though, is for tangible risks such as fire, flood or windstorm, but “not for hackers or a virus taking down your network,” he said.

The only place to get that type of business interruption insurance coverage is through one of the new cyber-risk insurance policies, he said. He estimates that less than 10 percent of companies have cyber-risk or data-security privacy risk policies, but predicts that number will grow quickly over the next decade.

“In 10 years, [it] will probably be a regular part of your commercial policy,” he said.